ASA Radius server

Sep 22nd, 2009

All,


I have an ASA at a DR site that I would like to be able to have it authenticate our telnet sessions via radius. The problem is that the radius server is at 10.10.10.52 and it would be out of the management interface. If I change the radius server configuration to point to the management interface instead of the inside interface, this works fine. I would LIKE to be able to have the same IP address on both the management and inside interfaces because if our main site goes down, then this ASA serves our VPN connections and authenticates to the same radius server. If the radius server is set to the management interface and the link between the DR and corporate goes down, then no one can authenticate if the corporate site were to go down. (We noticed this from a DR test over the weekend.)


My first thought was to create another radius server pointing to the same address on a different interface and change my aaa lines to reflect which radius server it should use, but because the same inside IP is used on this ASA as at our corporate site, this wouldn't work. The management IP address is 10.20.20.1 and the inside IP address is 10.10.10.67. Is there a way to work around this? I don't think statics will work since the 10.10.10.0/24 is connected.


Thanks,

John

Yudong Wu Tue, 09/22/2009 - 13:10

Not clear on your question, but here is the behavior which I got on ASA version 8.0.

1. You can use "aaa-server (intf-name) host" command to point to the same aaa-server IP with different interface name.

2. The interface in the above command must be the same interface from routing point of view to reach AAA server. If not, the packet won't be sent to AAA server.

3. The source IP of the AAA packet will be the IP on the outgoing interface of the ASA. Therefore, if the ASA uses a different interface to reach the aaa-server in different situations, the AAA server will see a different source IP. In this case, you must add both IPs as AAA clients on the AAA server.


HTH.
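The three points above written out as ASA configuration, as an added example that is not from the original thread or from Cisco documentation. It assumes the addressing John gave (inside 10.10.10.67, management 10.20.20.1, RADIUS server 10.10.10.52); the group names, shared-secret placeholder and test username are assumptions.

```cisco
! Added example, not from the thread. Assumes the OP's addressing:
! inside 10.10.10.67, management 10.20.20.1, RADIUS server 10.10.10.52.
! Group names, shared secret and test username are placeholders.

! Point 1: the same AAA server IP can be defined under two groups,
! each bound to a different interface name.
aaa-server RADIUS-INSIDE protocol radius
aaa-server RADIUS-INSIDE (inside) host 10.10.10.52
 key <shared-secret-placeholder>
 timeout 5
!
aaa-server RADIUS-MGMT protocol radius
aaa-server RADIUS-MGMT (management) host 10.10.10.52
 key <shared-secret-placeholder>
 timeout 5
!
! Point 2: only the group whose interface matches the route to
! 10.10.10.52 will actually send packets, so bind console
! authentication to that group. LOCAL is kept as a fallback so an
! unreachable RADIUS server does not lock administrators out.
aaa authentication telnet console RADIUS-INSIDE LOCAL
aaa authentication ssh console RADIUS-INSIDE LOCAL
!
! Point 3: the RADIUS server sees the source IP of the egress
! interface, so both 10.10.10.67 and 10.20.20.1 must be defined as
! RADIUS clients on the server, using the same shared secret as above.
!
! Verification from exec mode: check which interface the route to the
! server uses, then confirm each group can authenticate a test user.
! show route
! show aaa-server RADIUS-INSIDE
! show aaa-server RADIUS-MGMT
! test aaa-server authentication RADIUS-INSIDE host 10.10.10.52 username testuser password <pw>
! test aaa-server authentication RADIUS-MGMT host 10.10.10.52 username testuser password <pw>
```

If the `test aaa-server` command succeeds for one group but times out for the other, the timed-out group is bound to an interface the ASA does not route the server through, which is the failure Yudong Wu describes in point 2.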

